Singapore government aims to set IoT security baseline

CYBERSECURITY concerns around the internet of things (IoT) have plagued the minds of several business leaders for the past few months — especially as the technology becomes ripe for industrial adoption.

However, given the potential of IoT in the smart cities ecosystem and the many ways it can integrate businesses with government agencies such as customs, excise, and indirect tax authorities among others, regulators too are concerned about security.

As a result, in order to help businesses continue to develop the technology safely, Singapore’s Infocomm Media Development Authority (IMDA) has issued a new consultation paper: “Consultation for IoT Cyber Security Guide“.

Although still open for discussion, the baseline recommendations that the IMDA provides in the document are quite robust and might evolve into a set of benchmarks followed for IoT implementations and operations nationwide.

According to the document, the recommendations cover four fundamental IoT security design principles secure by default, rigor in defense, accountability, and resiliency.

The IMDA is mindful that individual products are used to implement a system and the system operates in the context of an organization’s processes, policies and people.

“The increasing levels of integration, from product to system and finally organization require additional considerations, as the overall security posture is only as strong as its weakest links. Together, the recommendations are fundamental to safeguarding the IoT system systematically and over its lifecycle,” the document explained.

Here’s a more elaborate explanation of the IoT recommendations for the implementation and operations stages:

# 1 | Secure by default

During the implementation phase, IMDA recommends that products/solutions employ only current and industry accepted cryptographic techniques and applicable best practices.

The regulator also recommends that organizations check for authenticity, and protected from disclosure and modifications by unauthorized parties when dealing with impactful data, and ensure that all sensitive communications to/from IoT devices shall be encrypted.

In terms of operations, IMDA simply recommends that organizations stress on the use of strong passwords.

“Default passwords should be changed and strong passwords should be used. Strong passwords should preferably consist of 8 or more characters comprising a combination of letters and numbers.

“It is also encouraged that symbols and upper-case characters be used to enhance password strength. Multi-factor authentication should always be enabled, where possible, for access to critical information.”

# 2 | Rigor in defense

During the design stage of an IoT project, IMDA recommends that organizations conduct threat modeling based on the intended usage of IoT devices in their operating environment as proposed in the solution design.

To help businesses, the guidelines document is accompanied by a checklist outlining what an ideal threat model should look for.

The recommendations also suggest that organizations emphasize on establishing a hardware Root-of-Trust.

A hardware Root-of-Trust is a tamper-protected hardware module that stores and protects the keys of the devices so as to provide a firm foundation for other security mechanisms to build upon, hence achieving higher assurance of security.

“Hardware Root-of-Trust should be established for key system components, which include IoT gateways and IoT platforms, as they may host sensitive data and execute impactful operations. For example, hardware Root-of-Trust can be based on a Trusted Platform Module (TPM) chip embedded in the device.”

Finally, during the implementation stage, the IMDA recommends employing secure versions of transport protocols so as to effectively protect the data in transit.

During the operations stage, the IMDA simply recommends segregating IoT and enterprise networks as a single compromised device can be the attack vector into your enterprise systems.

“Network segmentation should be employed so that IoT devices belonging to different networks can be properly segregated from one another and also from other corporate enterprise systems and networks.

Firewalls and malware mitigation solutions should be implemented to protect each network whenever possible.”

# 3 | Accountability

During the implementation phase, the recommendations suggest that organizations focus on enforcing proper access controls.

“Access to system resources shall be controlled and managed throughout its lifecycles, minimizing opportunities for malicious actors. Default passwords and weak passwords are the most commonly exploited vulnerabilities.

“The use of Multi-Factor Authentication (MFA) provides a higher assurance of the identity of initiators, enhances accountability and mitigates against mistakes.”

While operational, IMDA recognizes that IoT users and IoT providers may be dependent on IoT developers to provide patches for new vulnerabilities in a timely manner, but recommends that a proper framework or workflow is established for device management.

“An inventory of connected devices, software, and firmware versions should be kept and up-to-date patches should be applied throughout the “Operational” lifecycle stage.

“Access controls, including for physical access to IoT devices, should be strictly enforced. IoT users and IoT providers should subscribe to notifications and advisories issued by IMDA’s ISG-CERT and CSA’s SINGCERT, as appropriate, to be apprised of newly discovered vulnerabilities and threats to IoT and ICT systems.”

# 4 | Resiliency

The final principle, resilience, serves as a way for the IMDA to tell IoT developers to be proactive when it comes to IoT security.

It emphasizes that organizations must prepare to protect the IoT ecosystem against attacks, even during the implementation stage.

“Firewalls and anti-malware software should be employed to prevent, detect, identify, stop and remove malicious software, especially known ones. The system should have audit log capability that records all attempts at accessing or altering system resources.”

Obviously, the bulk of the IoT network’s resilience is tested during the operational phase. Hence, IMDA recommends that organizations take regular backups of system data (include settings) as well as undergo a regular disaster recovery exercises for systems in order to facilitate its recovery from an attack.